Sponsored By

Cybersecurity In-Depth: Feature articles on security strategy, latest trends, and people to know.

What Do You Do When You Can't Patch Your IoT Endpoints?

The answer, in a word, is segmentation. But the inconvenient truth is that segmentation is hard.

Dr. Mike Lloyd

October 29, 2019

2 Min Read

Question: What do you do when you can't patch your IoT endpoints?

Dr. Mike Lloyd, CTO of RedSeal: Internet of Things devices are great because they aren't as complicated as phones, laptops, or servers. General-purpose computers cause headaches. Unfortunately for security, IoT devices are also a curse for the same reason – precisely because they aren't flexible. The security toolchain and ecosystem we've built up assumes we can put stuff on network endpoints, but IoT "things" are different. Agents? Scanning? Patching? Antivirus? None of that works in the new world of IoT widgets. Worse, many of these devices are built en masse by companies focused on price point, with no intention of supporting patching.

The answer, in a word, is segmentation. You have to treat these fragile endpoints like the boy in the bubble: They have a compromised immune system, so isolate them from the digital germs being cooked up continually around the Internet.

Do your smart lightbulbs really need open access to your databases?  Probably not. Industrial networks know this; they were traditionally air-gapped (although that has broken down over time). Segmentation is easy in principal – just separate the network you use for X for the one you use for Y. The reason to do so is clear: You want to limit the blast radius. But the inconvenient truth is that segmentation is hard. Defenders have to map out their zones and ensure the as-built matches the as-designed. This requires diligence, but it's a great job for automation. Software can be taught to find any defensive gaps.

Do you have questions you'd like answered? Send them to [email protected].

Related Content:

This free, all-day online conference offers a look at the latest tools, strategies, and best practices for protecting your organization’s most sensitive data. Click for more information and, to register, here.

About the Author(s)

Dr. Mike Lloyd

CTO of RedSeal

Dr. Mike Lloyd is CTO of cyber terrain mapping company RedSeal. Dr. Lloyd has more than 25 years of experience in the modeling and control of fast-moving, complex systems. He has been granted 21 patents on security, network assessment, and dynamic network control. Before joining RedSeal, Lloyd was the chief technology officer at RouteScience Technologies (acquired by Avaya), where he pioneered self-optimizing networks. Mike served as principal architect at Cisco on the technology used to overlay MPLS VPN services across service provider backbones. He joined Cisco through the acquisition of Netsys Technologies, where he was the senior network modeling engineer.

Mike holds a degree in mathematics from Trinity College, Dublin, Ireland, and a PhD in stochastic epidemic modeling from Heriot-Watt University, Edinburgh, Scotland.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights